Despite being adopted by consensus, with broad support from member states, the UN Convention against Cybercrime has hit an early stumbling block. A clear divide over the participation of non‑state stakeholders has caused the procedural process to grind to a halt, against the backdrop of a UN budgetary crisis.

The pioneering treaty, which aims to establish a global framework for preventing, investigating and prosecuting cybercrime by promoting international cooperation and harmonized legal standards, achieved an impressive 72 signatures at its signing ceremony in Hanoi, Vietnam, in October 2025. However, after months of informal negotiations, its Ad Hoc Committee cannot agree on the way forward.

The committee, a negotiating body consisting of delegates from all UN member states, met in Vienna at the end of January with a mandate to decide the rules of procedure for the convention’s decision-making body, the Conference of the States Parties. However, due to a lack of consensus, the treaty currently has no institutional framework for implementation once it enters into force.

No middle ground

As in previous UN policy negotiations in Vienna, the question of whether non-state observers – from civil society, the private sector, academia and international organizations – should be included in the convention’s processes was the main sticking point. Russia and the African Group, represented by Egypt, led the campaign against open engagement, while the EU and various other Western states, as well as Japan and some Latin American countries, including Colombia, held the opposite view. The US, previously a leading voice in the Ad Hoc Committee, faces significant domestic opposition to the treaty, and ‘continues to review and consider’ its position. It was notably absent from the discussions.

The draft set of rules of procedure produced by the treaty Secretariat included two models for the involvement of non-state observers. Both were based on the UN Convention against Transnational Organized Crime (UNTOC) and UN Convention against Corruption, which provide limited access to observers. The first option proposed the broad participation of stakeholders in conference meetings and automatic attendance rights for groups with Economic and Social Council (ECOSOC) consultative status – the UN’s principal NGO accreditation. This version was favoured by the Western bloc. The second approach, supported by the African Group, Iran, Russia and North Korea, among others, called for a much more stringent vetting process for non-state applicants.

On the first day of the meeting, the newly elected chair, Eduardo Paes Saboia (the Brazilian Ambassador to the UN in Vienna), urged the committee to uphold multilateralism by presenting solutions that would allow stakeholder voices to be included in treaty discussions while ensuring that the process remained intergovernmental. Various solutions were put forward that combined aspects of the two polarized positions. Most proposed that all ECOSOC organizations be accepted automatically, that there be a straightforward application procedure for others (with states having the ability to object), and that restrictions be placed on participation in certain bodies. Ultimately, however, none of the compromises were agreed upon by consensus.

No further meetings on the issue will take place until the next formal session in January 2027, and discussions about potential additional protocols to the convention – an objective championed by Russia – will have to wait until the rules of procedure have been finalized. At the close of the meeting, Saboia expressed his disappointment in strong terms, pleading for better cooperation within the committee to deliver results in the face of the growing threat of digital criminality. ‘The fight against cybercrime loses, cybercriminals are very happy with the result, they are cheering. Second, the UN loses,’ he said. ‘I think we need to have a deep reflection about this process and where it’s heading. What is the purpose of having a convention if we are going to work on this basis?’

Lessons from the UNTOC review mechanism – a failing model

The countries pushing for open participation argued that cybercrime cannot be tackled by governments alone, and that the private sector and civil society will be vital to supporting the implementation of the convention. They also asserted that emulating the closed model of the UNTOC Conference of the States Parties should be avoided, due to the restrictions it places on participation in subsidiary bodies – the technical working groups created to focus on individual issues.

The GI-TOC has consistently emphasized that the lack of engagement in this area is one of the main reasons the UNTOC’s review mechanism is failing and why its implementation is impossible to monitor. If the cybercrime convention follows the same approach, it risks suffering the same fate.

But countries opposed to the participation of non-state stakeholders in subsidiary bodies insisted that as the conference is an intergovernmental process, these groups should be excluded. They also maintained that clear restrictions should be in place regarding the subjects observers are permitted to discuss – particularly regarding the criticism of governments – and that states should have broad rights to object to any organization’s involvement.

The suggested compromise solutions included versions in which stakeholders who passed the vetting process might, in theory, be invited to subsidiary bodies, while still being excluded from specific state-only meetings and restricted from discussing certain topics. Ultimately, however, any version that allowed stakeholders to attend subsidiary meetings was deemed unacceptable by certain states, who were determined to adhere to the restrictive UNTOC model. The African Group was most emphatic, formally rejecting the chair’s final compromise on the last day of the meeting.

Fiscal pressures compound the problem

Another major challenge affecting the process is the UN’s current funding crisis. In January, Secretary-General António Guterres warned of the body’s ‘imminent financial collapse’, caused by member states’ non-payment of fees. Because of these constraints, the portion of the budget previously allocated to Vienna-based UN processes has been cut, and the secretariat of the cybercrime convention is unusually small and cash-strapped. Illustratively, the funding provided for the meeting could not cover a full week of interpretation, with the Vietnamese government stepping in to make up the shortfall, following its hosting of the signing ceremony last year.

Given the financial situation, it would be far more practicable to adopt a single set of open and efficient rules for the cybercrime treaty, rather than replicating the duplicative model of the UNTOC conference working groups (for states only) and constructive dialogues (for states and observers). It is worth noting that funding for in-person UNTOC constructive dialogues has in fact been withdrawn; from this year, they will only take place online.

The lack of progress in Vienna does not bode well for the first global cybercrime treaty. Continued opposition to multi-stakeholder participation only exacerbates the challenge, especially at a time when both the UN and multilateralism itself are under threat. The position taken by the UN Office on Drugs and Crime’s incoming executive director will be critical in steering the process forward and proving the value and potential of this new instrument. Success, however, will depend on accessing the resources, expertise and knowledge of experts and institutions outside government.